Revision as of 05:36, 3 August 2012

Prepare a clean firewire drive in HFS+ using Mac Disk Utility and name the volume “Target”. This process relies on being able to identify the suspect's drive by its size, so choose a Target drive whose size differs from the forensic Mac's drive and from common suspect drive sizes (many new Macs are shipping with 250GB drives). A unique firewire Target drive size will help you identify it later, as you will see below.

Note the sizes of all drives on your forensic Mac, if you don't already know them. (Go to the Apple menu > About This Mac > More Info > ATA.)

Connecting

1. Without turning anything on, chain the forensic Mac to the firewire drive to the suspect’s computer using firewire cables.

2. Hold down the “Option” key on the suspect’s computer and turn it on.

3. If the suspect’s computer does not ask for a password, turn it off. If the computer does ask for a password, turn it off as well: you cannot do a simple TDM acquisition when a password is required. You will have to either:

a. remove the drive and do a direct acquisition; or,

b. modify the memory by adding or removing chips and zapping the PRAM.

To zap the PRAM, start up the computer and, as soon as you hear the startup 'bong', hold down these four keys: Command-Option-P-R. It will bong again, and again. Continue to hold down these four keys until it has 'bonged' a total of three times (the initial startup bong and two more after you hold down those four keys).

4. Assuming that no password was needed, hold down the “T” key and turn the suspect’s computer back on. The computer will eventually display the firewire logo on the screen and is then ready for TDM.

Acquisition

1. Turn on the acquiring Mac (with the disk arbitration daemon disabled).
2. Start the Terminal and at the command prompt run:

cd /dev
ls disk?

This will list all drives that are seen by the system. A list containing at least three drives will appear:

disk0
disk1
disk2

One of these drives is the suspect’s. The other two are the forensic Mac’s OS drive and the Target drive. You won’t necessarily know which is which, so you need to query each one to see its size, which will give you a hint.

5. Partitions on an HFS drive are called “slices.” In the query output, this drive has a 34.6G slice listed under number 9 and a 2.6G slice under line 10. Add them up and you're looking at a “40G” drive. If the total is the wrong size, then you are looking at the wrong drive. Repeat step 4 using disk0 and disk2 to identify all the disks.

6. Let's assume that your Target volume is disk2 and is a 120GB drive. If it is formatted as HFS, then the query in step 4 should return something like this.

Notice that slice 3 is 114.4 GB in size. Slice 3 is the “working area” on this 120G drive and is the slice that you will make available for receiving your evidence, using the mount command shown below.

Once you confirm which drive is which, you are ready to go. Let's assume that your forensic drive is disk0, the suspect’s drive is disk1, and the Target drive is disk2.

Because we turned off disk arbitration, however, the target drive isn't available to receive the image. We therefore need to mount the Target drive; specifically slice 3 of disk2.

Type:

sudo mount -t hfs /dev/disk2s3 /Volumes/Target

The mount point /Volumes/Target must already exist. With disk arbitration disabled nothing creates it for you, so if it is missing, create it first with sudo mkdir -p /Volumes/Target. Mount only the Target slice; the suspect's disk (disk1) is never mounted.
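The mount step above is the one place in this procedure where a wrong disk name would write to evidence. The following is an added example, not part of the original page: a small shell wrapper that refuses to mount anything that is a slice of the suspect's disk (or a whole disk rather than a slice) before it runs the page's mount command. The disk names (disk1 as the suspect, disk2s3 as the Target slice) are the page's running assumption; the DRY_RUN switch, which prints the command instead of executing it, is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original page): guard the Target mount so that
# the slice mounted read-write can never belong to the suspect's disk.

# Return the whole-disk part of a BSD slice name: disk2s3 -> disk2.
# The pattern s[0-9]* avoids stripping at the 's' inside "disk".
whole_disk_of() {
    printf '%s\n' "${1%%s[0-9]*}"
}

# check_target_slice SUSPECT_DISK TARGET_SLICE
# Succeeds only when TARGET_SLICE names a slice (diskNsM, not a whole disk)
# on a disk other than SUSPECT_DISK. Whole-disk names are compared in full,
# so disk10s2 is not mistaken for a slice of disk1.
check_target_slice() {
    suspect=$1; slice=$2
    case "$slice" in
        disk[0-9]*s[0-9]*) ;;
        *) echo "refusing: '$slice' is not a slice name" >&2; return 1 ;;
    esac
    if [ "$(whole_disk_of "$slice")" = "$suspect" ]; then
        echo "refusing: $slice is on the suspect's disk $suspect" >&2
        return 1
    fi
    return 0
}

# mount_target SUSPECT_DISK TARGET_SLICE MOUNTPOINT
# Runs the page's mount command once the guard passes, creating the mount
# point if needed (disk arbitration is off, so nothing else creates it).
# With DRY_RUN=1 (assumed switch) the command is printed, not executed.
mount_target() {
    suspect=$1; slice=$2; mnt=$3
    check_target_slice "$suspect" "$slice" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'sudo mount -t hfs /dev/%s %s\n' "$slice" "$mnt"
        return 0
    fi
    [ -e "/dev/$slice" ] || { echo "no device node /dev/$slice" >&2; return 1; }
    sudo mkdir -p "$mnt"
    sudo mount -t hfs "/dev/$slice" "$mnt"
}

# Usage on the forensic Mac, with the page's assumed disk layout:
#   mount_target disk1 disk2s3 /Volumes/Target
```

The guard is deliberately strict: a bare whole-disk name such as disk2 is refused because the page's procedure mounts slice 3, not the whole device, and a typo that lands on any diskNsM belonging to the suspect's disk is refused before mount is ever invoked.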

If you are still unsure about which drive is which, you can verify things because Target now has a BSD name. To clear the Terminal screen, hold down the command key and type

k

Then, type

ioreg -l

Buried in the resulting display is information about the connected drives. Go to the Terminal Menu>Edit>Find. Search for disk1. Scroll through the hits and you should see the make and model number for disk1. If a search for disk2 comes up empty, then you know it is the unmounted drive.
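The size-based identification from the listing and query steps above, and the ioreg search just described, can be done in one pass from the command line. The following is an added example, not part of the original page: it reads ioreg-style output, keeps only whole-disk IOMedia entries, rounds their "Size" to decimal GB, labels the disks whose sizes match the known forensic and Target drives, and reports whatever is left as the suspect's drive, failing when that is not exactly one disk (which is what happens if the Target drive is not a unique size, as the preparation step warns). The sample text is constructed to look like the "BSD Name", "Size" and "Whole" lines that ioreg -l prints for IOMedia entries; the example assumes those three keys appear in that order within each entry, as ioreg prints them.

```shell
#!/bin/sh
# Added example (not from the original page): classify the visible disks by
# size from `ioreg -l` style output. Constructed sample input below.

SAMPLE_IOREG='
    +-o disk0 <class IOMedia, registered, matched, active, busy 0, retain 9>
    | |   "BSD Name" = "disk0"
    | |   "Size" = 80026361856
    | |   "Whole" = Yes
    +-o disk0s2 <class IOMedia, registered, matched, active, busy 0, retain 7>
    | |   "BSD Name" = "disk0s2"
    | |   "Size" = 79000000000
    | |   "Whole" = No
    +-o disk1 <class IOMedia, registered, matched, active, busy 0, retain 9>
    | |   "BSD Name" = "disk1"
    | |   "Size" = 40007761920
    | |   "Whole" = Yes
    +-o disk1s9 <class IOMedia, registered, matched, active, busy 0, retain 7>
    | |   "BSD Name" = "disk1s9"
    | |   "Size" = 37100000000
    | |   "Whole" = No
    +-o disk2 <class IOMedia, registered, matched, active, busy 0, retain 9>
    | |   "BSD Name" = "disk2"
    | |   "Size" = 120034123776
    | |   "Whole" = Yes
'

# whole_disks IOREG_TEXT
# Print "diskN size_in_GB" for every whole-disk entry. Sizes are rounded to
# decimal GB, the unit drive labels use (the page's "40G" drive is ~37.2 GiB).
whole_disks() {
    printf '%s\n' "$1" | awk '
        /"BSD Name"/ { gsub(/"/, "", $NF); name = $NF }
        /"Size"/     { size = $NF }
        /"Whole"/    { if ($NF == "Yes") printf "%s %d\n", name, int(size / 1000000000) }
    '
}

# classify_disks IOREG_TEXT FORENSIC_GB TARGET_GB
# Label the forensic and Target drives by their known sizes; anything else
# is reported as the suspect drive. Returns 1 unless exactly one disk is
# left over, i.e. when the sizes do not identify the drives unambiguously.
classify_disks() {
    out=$(whole_disks "$1" | awk -v f="$2" -v t="$3" '
        $2 == f { print $1 " forensic (" $2 "GB)"; next }
        $2 == t { print $1 " target ("   $2 "GB)"; next }
                { print $1 " suspect ("  $2 "GB)" }
    ')
    printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | grep -c ' suspect ')
    [ "$n" -eq 1 ]
}

# On the forensic Mac (forensic drive 80GB, Target drive 120GB assumed):
#   classify_disks "$(ioreg -l)" 80 120
```

Run against the constructed sample with an 80GB forensic drive and a 120GB Target, this labels disk0 forensic, disk2 target and disk1 suspect (40GB); if the Target were also 80GB, both disk1 and disk2 would be left over and the function fails, which is the situation the "unique Target drive size" advice is there to prevent.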

At this point, you have the choice of imaging the suspect’s entire drive (recommended), or of just imaging the slice that you want. If you want to image the entire drive, type: